I set the Spring Security SAML Extension as a 'SP' integrated with my web app. Single sign on works fine.
When a user selects global log out from my web app, he is logged out both from SP and IDP and does not allow to access protected web pages again. This is right.
But then a user selects log out from another web app (in the same trust circle). I checked from log that IDP sends samlp:LogoutRequest to SP, and SP sends back saml2p:LogoutResponse with Success to IDP. This user now is certainly logged out from IDP. But it seems this user session is not killed, this user still be able to access protected web pages!!! This is wrong.